Hi,
This is something currently being addressed and at this time, there is no workaround. I went and tested this in my own environment, but at this time the Auto-Scaled instances are using the current default certificate, which is still 'rsa-ca-2019'.
To set the autoscaled Aurora reader instances to use a specific CA, you can specify the certificate identifier when creating the Aurora global database cluster.
When creating the cluster through the AWS CLI or RDS API, include the '--db-cluster-parameter-group-name' parameter and specify the parameter group that references the desired CA.
For existing clusters, you can modify the DB cluster parameter group to set the 'ssl_ca_file' and 'ssl_ca_path' parameters to the CA you want to use. Then modify the DB cluster and specify this updated parameter group.
Any new reader instances added through autoscaling will then use this specified CA.
Checking that your application is connecting to the proper reader endpoints is also important to ensure connections are using the expected CA after any upgrades or modifications to the cluster.
https://repost.aws/knowledge-center/troubleshoot-connecting-aurora
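Whatever the cluster-level settings, the CA an instance actually presents is visible per instance in the DescribeDBInstances response, so a periodic audit of every instance in the cluster (autoscaled readers included) is the practical way to catch readers that came up on the old default. The script below is an added example, not code from the answer above or from AWS: it consumes the JSON shape of 'aws rds describe-db-instances' output ('DBInstances', 'DBInstanceIdentifier', 'DBClusterIdentifier' and 'CACertificateIdentifier' are the real response field names) and runs offline against constructed sample data. The instance and cluster names are fictitious; 'rsa-ca-2019' is taken from this thread, and 'rds-ca-rsa2048-g1' is a real RDS CA identifier that the thread does not name.

```python
"""Audit which CA certificate each instance in an Aurora cluster is using.

The input is the JSON printed by:
    aws rds describe-db-instances --filters Name=db-cluster-id,Values=<cluster>
Only the fields used below are needed; everything else is ignored.
"""
import json
import sys

# CA identifier the thread is worried about (spelled as in the thread).
LEGACY_CA = "rsa-ca-2019"
# A current RDS CA identifier; assumed here as the CA the cluster should be on.
EXPECTED_CA = "rds-ca-rsa2048-g1"

# Constructed sample output: two hand-created instances on the new CA and one
# autoscaled reader that came up on the old default (the situation in the thread).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-writer-1",
         "DBClusterIdentifier": "prod-cluster",
         "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
        {"DBInstanceIdentifier": "prod-reader-1",
         "DBClusterIdentifier": "prod-cluster",
         "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
        {"DBInstanceIdentifier": "application-autoscaling-0001",
         "DBClusterIdentifier": "prod-cluster",
         "CACertificateIdentifier": "rsa-ca-2019"},
        {"DBInstanceIdentifier": "staging-db",
         "DBClusterIdentifier": "staging-cluster",
         "CACertificateIdentifier": "rsa-ca-2019"},
    ]
})


def _cluster_instances(describe_json, cluster_id):
    """Yield the instance records that belong to cluster_id."""
    data = json.loads(describe_json)
    for inst in data.get("DBInstances", []):
        if inst.get("DBClusterIdentifier") == cluster_id:
            yield inst


def instances_on_ca(describe_json, cluster_id, ca_id=LEGACY_CA):
    """Return sorted identifiers of instances in cluster_id that present CA ca_id."""
    return sorted(
        inst["DBInstanceIdentifier"]
        for inst in _cluster_instances(describe_json, cluster_id)
        if inst.get("CACertificateIdentifier") == ca_id
    )


def ca_mismatches(describe_json, cluster_id, expected_ca=EXPECTED_CA):
    """Map instance id -> actual CA for every instance whose CA is not expected_ca.

    An instance with no CACertificateIdentifier at all is reported as "unknown"
    rather than silently passing.
    """
    return {
        inst["DBInstanceIdentifier"]: inst.get("CACertificateIdentifier", "unknown")
        for inst in _cluster_instances(describe_json, cluster_id)
        if inst.get("CACertificateIdentifier") != expected_ca
    }


def main(argv):
    # Usage: python audit_ca.py <cluster-id> < describe-db-instances.json
    # With no arguments the constructed sample is audited instead.
    if len(argv) > 1:
        cluster, payload = argv[1], sys.stdin.read()
    else:
        cluster, payload = "prod-cluster", SAMPLE_DESCRIBE_OUTPUT
    bad = ca_mismatches(payload, cluster)
    for ident, ca in sorted(bad.items()):
        print(f"{cluster}: {ident} is on {ca}, expected {EXPECTED_CA}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Returning a non-zero exit code when any instance is off the expected CA lets the script sit in a cron job or CI step as a detection control; with a real cluster, pipe the CLI output shown in the docstring into it and pass the cluster identifier as the first argument.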
Hey. Thanks for the reply. It's unfortunate to hear that there's no workaround.
If that's the case then are the autoscale-provisioned DB instances gonna automatically use a newer CA once the 'rsa-ca-2019' expires?

Our teams are aware of the potential issue if 'rsa-ca-2019' expires and the auto-scaled instances use these defaults. I would expect a fix before this happens.